What is going on here ?

Surely that editor window on the right hand side is a problem it doesn't have a sensitivity label on it ?

Answer is in the next picture:

This was a screenshot of Trusted Extensions running in VirtualBox with Seamless Windows mode turned on.The host was OpenSolaris 2008.05 (snv_91). Where I'm going next is to do it other other way around, so that the host is TX and the guest is also TX but with different label encodings.

What this does show is that even when TX is running as a virtualised guest the MLS enforcement for cut and paste still applies. The host was treated as "Trusted Path", which makes perfect sense in this case because it is the "hardware".

Allowing role to same role over network

The current implementation of pam_roles has an "allow_remote" module argument that allows the role to be assumed over the network when PAM_AUSER is set. Currently only ssh with hostbased user authentication sets PAM_AUSER.

It also only allows user to role not role to (same) role. However I believe that "role to (same) role" is actually much more useful. Consider the following example case:

Helpdesk users login on a workstation/Sun Ray or something not even running Solaris. They ssh (using any userauth method) to some "Trusted Host". This "Trusted Host" then has network routes to the production machines. It is also possible that "Trusted Host" has some stronger initial user auth (eg, OTP or SecurID).

The helpdesk user assumes a role on "Trusted Host" (this is audited on Trusted Host, maybe also has additional PAM modules to determine when roles can be assumed).

The user (now with ruid of the role) then uses ssh to connect to the appropriate production host as the role.

If no auditing is in use the user doesn't even need to be known on the production host at all just the roles. Even if the user is known they don't need to be allowed to login (eg using pam_list).

This is a reasonably common and in my opinion very sensible architecture. I've heard of this existing at several sites.

This can actually be achieved today by manually editing a roles user_attr(4) entry so that it has a "roles=" entry for itself eg:

	sysadm::::type=role;roles=sysadm;profiles=System Admin

However this can't be done using the rolemod(1M) or other admin tools since they currently believe that roles can't have roles.

A fix for this could be integrated into pam_roles so that "allow_remote" allows PAM_AUSER to be the role as well. However this now means that all roles can be remotely assumed by themselves. In my opinion that isn't any weaker a policy than what allow_remote already means.

It also makes sense to me that a role be allowed to "su - rolename" to itself - this has no audit impact but has the advantage of being a nice easy way to "clean" the environment. To allow that roles would need to be able to assume themselves regardless of the value of "allow_remote".

Allowing roles to have roles

In the general case, why can't a role have roles ?

I see no reason why not, in fact I can thing of many cases where allowing roles to have roles actually helps build a more understandable and usable policy.

Continuing with our helpdesk scenario above.

A slightly different implementation is that the user assumes the "helpdesk" role on their workstation and runs tools as helpdesk. Some of those tools need to remotely access production machines. However the users don't have accounts that can login on those remote machines. The only accounts that can login on the production machines are those that represent roles eg "dbadmin" and the "helpdesk" account.

In this case the "dbadmin" role is given to the "helpdesk" shared account as well as some of the core database team.

For this to work we need to allow roles (helpdesk) to have other roles (dbadmin).

Again I think this is a perfectly reasonable deployment case, and one that is already in use without roles. By making helpdesk and dbadmin roles we can increase the security. If we stick with the current "roles don't have roles" then we weaken the security because now one or both of the "helpdesk" and "dbadmin" would be deployed as normal user accounts.

Like above this is actually already possible by manually updating the user_attr(4) entries for the roles, eg

	helpdesk::::type=role;roles=dbadmin
	dbadmin::::type=role;

To make this part of the proposal "official" requires updating the administrative interfaces. pam_roles doesn't need to be changed at all.

Changing OpenSolaris 2008.05 to use Xvnc for the default X server rather than Xorg is really simple. OpenSolaris 2008.05 uses GDM as the graphical login manager. GDM starts the X server using /usr/X11/bin/X (a symlink to Xserver). The Xserver program in /usr/X11/bin uses SMF to store its configuration properties. This includes the location of the "real" (or "virtual" in our case) X server program.

To switch to Xnvc:

$ pfexec svccfg -s x11-server 
svc:/application/x11/x11-server> setprop options/server = "/usr/X11/bin/Xvnc"
svc:/application/x11/x11-server> setprop options/server_args = astring: ("-SecurityTypes" "None")
svc:/application/x11/x11-server> end
$ pfexec svcadm restart gdm

Now use your VNC client to connect using the IP address of your OpenSolaris machine. You will get the OpenSolaris login screen. Note that we disabled VNC level security above, so lets now change things so that VNC only works over SSH port forwarding. We do this by telling the Xvnc server to only listen locally.

$ pfexec svccfg -s x11-server
svc:/application/x11/x11-server> setprop options/server_args = astring: ("-SecurityTypes" "None" "-localhost")
svc:/application/x11/x11-server> end
$ pfexec svcadm restart gdm

Now to connect we need to do somethink like this:

remotehost$ ssh -n -f -L5900:localhost:5900 opensolarishost sleep 100
remotehost$ vncviewer localhost

To switch back to a local X server:

$ pfexec svccfg -s x11-server 
svc:/application/x11/x11-server> setprop options/server = "/usr/X11/bin/Xorg"
svc:/application/x11/x11-server>setprop options/server_args= ""
svc:/application/x11/x11-server>end
$ pfexec svcadm restart gdm

Seems like for some reason I didn't actually post this when I wrote it on Jan 10th 2008, so I'll post it now

I've just read over the PC World "10 Worst Keyboards of all time" article. Out of the 10 there was only 3 I hadn't actually used (the IBM PCjr, the original PET, and the Atari 400. All the others I've actually used at least once. I found it interesting on the selection of the Sinclair keyboards, the ZX Spectrum one suffered all the same problems as the Timex 1000 but the metal "cover" also came off over time. I replaced the key membrane on my speccy at least once and upgraded the heat sink to try and stop it failing again (didn't really help in the long run)).

My current vote for the worst keyboard of all time is actually the iPhone/iTouch - yes it doesn't have a real keyboard but an on screen touch one instead, and the later lacks Bluetooth for connection of a "real" keyboard. I don't own an iPhone/iTouch just played with friends so maybe it gets better over time.

My favourite keyboard - Sun Microsystems Type 7 (USB) US UNIX layout. The layout is critical despite being a Brit I hate the UK keyboard layout with a passion it sucks for writing C or shell code because " and # get moved! The UNIX layout is also important so that Control is on the same row as return - caps lock has no use since I stopped writting COBOL code.

My current home machine is a first generation (ordered the day after the announcement) PPC Mac Mini. I initially ordered it with 512Mb RAM and no WiFi or Bluetooth. It has since been upgraded to 1G (the max this machine can take) and had the WiFi/Bluetooth added (and it now lives in the UK rather than California where it was bought). When I first bought it it was as a secondary machine to learn where MacOS was, I hadn't used MacOS since System 7 at that time. It soon became my our primary home desktop and got given gifts of a (wired) Mac keyboard and 20" Cinema screen in addition to its upgraded memory and wireless capabilities.

It has been serving us well but I feel like a new machine. While I love OpenSolaris and spend a huge number of hours developing for it and using it MacOS is what I want to continue using for my personal stuff for now (I like iTunes, iPhoto, Safari and more importantly so does my wife). So if the current PPC Mac Mini is to be repurposed it needs to be Apple hardware.

I titled this "Missing Apple Mac hardware", why ? I can't find a non laptop Mac that actually fits what I want in terms of computing resources and cost. Disk space isn't an issue I'd buy the machine in the lowest possible disk configuration because all my data is stored on a ZFS on a separate system running OpenSolaris and mounted on the Mac using NFS.

The best CPU/RAM combination I get buy on a current Intel Mac Mini is 2GHz and 2G RAM for £558. The next option is a Mac Pro and that starts at a wallet breaking £1,749, it is a nice workstation but out of budget for my desktop machine. There is Mac hardware in between that price range but with, for me, a fundamental problem because it has an integrated LCD and comes with a keyboard. Now integrated systems are great I remember fondly using the Sun ELC workstations at University and my current Sun machine at home (and the office) is a Sun Ray 270 (ultra thin client with integrated LCD). However I like my 20" Apple Cinema display and I want to keep using and it doesn't need to be replaced, same for the keyboard/mouse.

The Apple Mac I want to buy would have a CPU around 2.4 to 3GHz and 4G RAM, a single disk and a reasonable graphics card - this isn't a games machine (I use consoles or my phone for games these days) - for helping with photo processing. Of course it should be "green" in that it should allow me to reuse my existing LCD monitor and keyboard (both Apple products!). Pretty much something like a Sun Ultra 20M2but capable of legally running MacOS X 10.5 and for about that price

So Apple where is my missing Mac ?

Update: I know I can do dual monitor on with an iMac (first saw that on a mono SE30 with an external colour display and putting windows "across" the boundary it was done perfectly!) but I already have two monitors on the desk (the Sun Ray 270 mentioned above) and I don't really have space for another one. The big issue with the top end Mac Mini is the memory only goes to 2G according to Apple and some of that will be taken away by the Intel GMA graphics. One of the reasons I need at least 4G RAM is that there is always two users logged in (with fast user switching) to this machine. A bit of space to upgrade beyond 4G of RAM would be nice.

With the recently added ability to sign PKCS#10 certificate request files the pktool(1) command of OpenSolaris can be used as a very simple Certificate Authority, similar to what can be done with the openssl(1) command but in my opinion in a much clearer way and actually providing stronger security. I'll outline the basic commands below but some external "database" will be needed to keep the serial number count and some other state needed to be a useful CA.

First Generate root CA - this is by definition self-signed

admin$ pktool gencert keystore=file outcert=myCA \
  subject="CN=test,DC=EXAMPLE,DC=COM" serial=0x1 outkey=myCA.key

Generate a user CSR in PKCS#10 format

user$ pktool gencsr keystore=file outcsr=sample.p10 \
  subject="CN=darren,OU=people,DC=EXAMPLE,DC=COM" outkey=sample.key

Sign the PKCS#10 CSR with the root CA

admin$ pktool signcsr keystore=file signkey=myCA.key csr=sample.p10 \
  outcert=sample.cert format=pem serial=0x1001
  issuer="CN=small-CA,DC=EXAMPLE,DC=COM"

Increasing the CA security

admin$ pktool gencert keystore=pkcs11 label=myCA \
  subject="CN=test,DC=EXAMPLE,DC=COM" serial=0x1
Enter PIN for Sun Software PKCS#11 softtoken  : 

We now have the key in a PKCS#11 accessible keystore that is PIN protected, the sign operation is almost the same:

admin$ pktool signcsr keystore=pkcs11 signkey=myCA  csr=sample.p10 \
  outcert=sample.cert format=pem serial=0x1001 \
  issuer="CN=small-CA,DC=EXAMPLE,DC=COM"
Enter PIN for Sun Software PKCS#11 softtoken  :

Note that we didn't explicitly specify the PKCS#11 token to use but pktool(1) allows us to do so.

Similarly the user can use a PKCS#11 keystore when they run gencert.

A few hopefully helpful links for OpenSolaris/JDK developers in the transition to mercurial (hg).

• Distributed revision control with Mercurial: http://hgbook.red-bean.com/hgbook.html
• Genunix.org Wiki on Mercurial: http://www.genunix.org/wiki/index.php/Mercurial
• Official Mercurial site: http://www.selenic.com/mercurial/wiki/
• webrev is being ported to mercurial by the OpenSolaris scm-migration project.
• My previous blogs on mercurial:
  • Migrating from Teamware
  • First draft of Mercurial Webrev support

I wanted a single ~/bin in my home dir that could cope with 32 vs 64 and SPARC vs x86 and also allow me to have CPU capability variants as well, ie sparcv9+vis2 and a generic sparcv8 variant. So I rewrote isaexec as a simple shell script, I don't know how long ago I did this but it was probably some time during Solaris 7 development (which is when isaexec first appeared), anyway below is the shell script. I have subdirs in ~/bin for each cpu/architecture and all the binaries are links to ~/bin/isaexec.sh

#!/bin/ksh

fname=`basename $0`
pathname=`dirname $0`

if [ ! -x /usr/bin/isalist ]; then
        arch=`arch`
        if [ ! -x $pathname/$arch/$fname ]; then
                echo "$0: cannot find the ISA list";
        else
                exec $pathname/$arch/$fname
                echo "$0: cannon find/execute $fname in ISA subdirectories"
        fi
fi


for isa in `/usr/bin/isalist` ; do
        execpath="${pathname}/${isa}/${fname}"
        
        if [ -x $execpath ]; then
                exec $execpath "$@"
                echo "$0 exec $execpath failed"
        fi
done

echo "$0: cannon find/execute $fname in ISA subdirectories"
exit 1;

This far from perfect shell script from a performance view point and could probably use much more shell builtin functionality if ksh (or ksh93) was used instead.

Casper just asked me: "How do you put your own project workspace on opensolaris.org?. So I wrote up email describing how I do it. Since I thought it might be useful I've included a slightly reworded version of it here.

It has to be in either Mercurial or SubVersion. If it is a project targeting the ONNV consolidation then Mercurial is the choice.

First create a local clone of the Mercurial onnv-gate like this:

    $ hg clone ssh://anon@hg.opensolaris.org/hg/onnv/onnv-gate myproject

Make sure your Teamware gate is at the same point. Now do a 'wx backup' of your teamware workspace.

Untar the ??.clear.tar file from the wx backup directory into the myproject directory.

Check this still builds - it should but you will need to get the closed-bins tar file that match your clone of onnv-gate since you don't have usr/closed.

If it all built find commit this to your local repository

$ hg commit

You now need to create a repository on opensolaris.org to host this. In your project page there is an "SCM Management" link that is shown only to project leads. Click that. On the left hand nav-column there will then be a link "Add Repository". Fill in the form.

The Anonymous here means allow anyone to pull from the repository, if you don't tick that then only people with an opensolaris.org account with loaded ssh keys can do a pull (I generally allow it as do most projects I believe). Project leads can always do a push, and you can delegate that to people who are listed as observers too.

The name you give is tagged on the end of your project URL. So if you say "gate" you will end up with:

    "ssh://hg.opensolaris.org/hg/fgap/gate"

The notification email gets every push message, so choose wisely what you set this too. Some projects use a dedicated -notify@ alias others just use their -discuss@ alias.

You are now ready to push your changes so lets configure your local copy of your Mercurial repository with the paths. Add the following to the .hg/hgrc file in your myproject dir:

[paths]
default=ssh://username@hg.opensolaris.org/hg/myproject/gate
default-push=ssh://username@hg.opensolaris.org/hg/myproject/gate
onnv-gate=ssh://anon@hg.opensolaris.org/hg/onnv/onnv-gate

Now lets do the push:

$ hg push

You now have a populated repository on opensolaris.org. To do a resync with onnv-gate you do something like this:

# Make sure you are in sync with the fgap project gate
$ hg pull
# Merge if needed
$ hg merge

# Now pull in the onnv-gate changes
# if you want a specific build you can say -r onnv_80 after the pull
# Note this uses the path alias we defined above to avoid using the full URL
$ hg pull onnv-gate
$ hg merge
$ hg commit
$ hg push

Hope this helps.

Note that for all this push/pull to work as your user you need to have your ssh pubkey uploaded for opensolaris.org. If you have ever voted you have done that already.

While on a trip back to Scotland to visit my parents I visited the school I attended, Auchenharvie Academy in Stevenston. This wasn't pre-planned; my Mum & Dad are foster parents and one of the boys they foster is due to move up to secondary school (high school, grade 8+, what ever you call it where you come from) and they had recently visited my old secondary school on open night. My parents got talking to Mrs Anderson one of the Computing teachers and my Mum mentioned that I worked for Sun and was an ex pupil, he up shot was an open invitation for me to go an talk to the students taking the computing classes.

I spoke to the higher (grade 12) computing class (about 10 students) about how I got in to computing as a career and what it is like working for Sun. I hope the students found it interesting, I certainly found it very interesting how much they are learning (some of what they cover wasn't covered until the 2nd year of my degree course) and it was fun to talk with them and the teachers.

I left them with an open invitation to contact me on my work email address if they have any follow questions about anything, I hope to hear from both the teachers and students.

Via several other Sun blogs I've found about about the new Presentation Minimizer for StarOffice/OpenOffice. Feels like strip(1) to me :-) From a security point of view this is really good. Templates are great but so many presentations get created out of other presentations rather than from scratch with the current "corporate" template. This means there is lots of potential "cruft" left lying around in the history, even more so if you have change tracking turned on (which I often do).

I hope this becomes a core feature in a future release. It might also be useful to extend it to warn about certain words in the presentation (eg Proprietary/Confidential being left in the master slide).

The message about OpenSolaris is obviously getting through to people. In a CBR (Computer Business Review) article about open sourcing of Microsoft Windows is this particularly telling sentence: "The Windows platform could compete equally with other non-proprietary OSs such as Linux and Solaris" . Yeah we are placed in the same "non-proprietary" camp as Linux. Now if only people could work out the difference between closed source and proprietary they aren't the same nor are they mutually exclusive (ie open source can be proprietary).

Until about a year ago I had been using good old xterm, (I used it under at least olwm,olvwm,twm,tvtwm,ctwm,fvwm,CDE,GNOME). I switch to using gnome-terminal since it appeared to be good enough, it was the default under GNOME (by current desktop of choice) and it had a few features I really liked (though some I sorely missed from xterm too).

Those I like from gnome-terminal and actively use are:
• Profiles - mainly for different coloured foreground (green,amber,white)
• "Right click ->Open Terminal" is very helpful since usually I can't see the desktop root window

Things I don't like about gnome-terminal:
• It can be slow compared to xterm when large amounts of text need to be written. For example the output of make going by really quickly
• It seems to be very sensitive to your local cwd becoming unavailable so much that all gnome-terminal windows lock up - even those with remote logins

Things I missed from xterm while using gnome-terminal:
• Different colour cursor (not the mouse pointer or shell prompt) from the main foreground colour
• Keyboard grab - I have this bound to the stop key on a Sun keyboard.

So why is it welcome back xterm ? Basically it is the performance. I use Sun Ray most of the time now, and Sun Ray at home over a 1Mbps ADSL line is perfectly usable providing I use xterm and not gnome-terminal.

I should also say that my xterm config isn't default and it is customised so that the Sun keyboard Copy/Paste keys work

I find it interesting and slightly sad, given how low level a topic this really is, how much is being written about the new CFS scheduler being introduced into Linux. The sad part is how much flamage is flying around as a result of this from people not in the slightest bit involved in the desgin and development - this sadly is the ugly side of many open source groups.

OpenSolaris has multiple scheduling classes as well, actually Solaris had this and OpenSolaris inherited it when the source was opened up - but there is active work in this area going on, and the ability to realtively easily add more. You can also change the dispatch tables of the existing ones - even on a live running system (see dispadmin(1M) and ts_dptbl(4)

For some more info on how OpenSolaris does scheduling and how it is integrated into the rest of the resouce management system see this excellent intro to the topic by Eric Saxe.

As you hopefully see from Eric's presentation the scheduler is only a small part of the over all resource management issue and ensuring fairness. OpenSolaris builds on the scheduler by using things like processor pools. I particularly like the Fair Share Scheduler (FSS) class. The Sun Ray server that I use at work (and at home via VPN) uses FSS so that users can't dominate the server cpu resources.

I find it very cool that you can even use different scheduling classes for zones (actually you can do it per process but mixing FSS with TS/IA in a given processor pool isn't recommended). If all that wasn't cool enough all the policy for FSS (and much other projects stuff related to resource management) can be stored in LDAP so it is easy to implement a network wide policy.

The following is a small patch to the FreeRadius pam_radius_auth source to allow it to compile with the Sun Studio compiler and the Solaris linker.  It also changes the resulting module to use the MD5 functions from libmd rather than its own local copy.

--- pam_radius-1.3.17/Makefile  Mon Mar 26 05:22:11 2007
+++ pam_radius-1.3.17-djm/Makefile      Fri Jul 27 11:16:32 2007
@@ -15,7 +15,8 @@
 #
 #  If you're not using GCC, then you'll have to change the CFLAGS.
 #
-CFLAGS = -Wall -fPIC
+#CFLAGS = -Wall -fPIC
+CFLAGS = -KPIC
 #
 # On Irix, use this with MIPSPRo C Compiler, and don't forget to export CC=cc
 # gcc on Irix does not work yet for pam_radius
@@ -54,8 +55,9 @@
 #
 #      gcc -shared pam_radius_auth.o md5.o -lpam -lc -o pam_radius_auth.so
 #
-pam_radius_auth.so: pam_radius_auth.o md5.o
-       ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so
+pam_radius_auth.so: pam_radius_auth.o
+#      ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so
+       ld -G pam_radius_auth.o -lmd -lpam -o pam_radius_auth.so
 
 ######################################################################
 #

Note that with this patch you will still get warnings when compiling the pam_radius_auth.c file due to differences in the function prototypes for libpam functions such as pam_get_item().  The pam_radius_auth.c assumes that const void * is used for some function arguments in libpam, on Solaris some of these are const char *.  These warnings can be  ignored. 
 

"6543566 RNG does not need to be in closed source" got integrated recently but for some reason I forgot to post this (it has been sitting as a draft for a while, oops).  
This means that the OpenSolaris Crypto Framework driver for the on CPU chip
Niagara 2 is now available from OpenSolaris under the CDDL as another good 
example of how to write a plugin for the crypto framework.  

When OpenGrok gets updated on the next pass you can see it at this link.

The design review for phase one of the OpenSolaris ZFS Crypto Project starts now, details on how to participate are here.

I've upgraded my laptop from build 61 of Solaris Express to build 64 yesterday.  A few nice security features have integrated since then and the first delivery of the Network Automagic (NWAM) project.  I'd been using NWAM for quite some time now but this was the first chance I've had to use it with WPA (which I wrote about here). 

I tried a little experiment to see how automatic NWAM can be in the face of things like WPA.  So I set my router/AP to open (with MAC restriction still on) and let NWAM connect my laptop to my local LAN.  No problems.  From another machine I then changed the router/ap to use WPA and set a PSK passphrase.  As soon as I hit apply Solaris notices the connection drop and after a few seconds NWAM pulled the interface down.  Once NWAM scanned again (which by default is every 2 minutes) I got prompted graphically for the WPA passphrase for my network.  Entered it in and I was reconnected.  No bringing up preference panels or reconfiguring anything, all just automatic.   If I choose to use wired ethernet instead I just plug in the cable and NWAM automatically switches to wired ethernet.

When I started up GAIM (snv_64 still has 2.0.0beta4 not Pidgin yet) I got prompted to create a GNOME keyring master password.  GAIM migrated all my IM and IRC account passwords into the GNOME keyring.  I ranted about this previously, glad to see that in Solaris Express builds we now use the GNOME keyring.

OTR for GAIM (or it might be Pidgin by then) is in the works as well.

I'm getting really fed up with the constant rantings on all sides about what Sun should to about the license on the ZFS code so that Linux can use it.  Apparently Sun is the bad guy because ZFS is under CDDL and not GPLv2 and we are purposely doing that so Linux does not get ZFS, personally I don't agree but each to their own opinion and licensing is worse than religion in open software development. 

There is already a port to FreeBSD and rumours abound that it is in a future release of MacOS, without the CDDL those might not have happened. 

There is also a port of ZFS to FUSE which means Linux users can use it that way.  Performance won't be great with FUSE but it is probably acceptable.  FUSE is a great tool and I can't wait until the Solaris port is ready - because then Solaris can read Linux ext based filesystems that way!

Now about that headline, yes I really did say that ZFS code is already available under the GPLv2.  I will be completely honest though and make it clear that it isn't all of the ZFS source.  It is, sufficient amount to be able to boot an OpenSolaris based system from GRUB, that means that support for mirroring and the checksum and compression support is there but radiz isn't nor are the userland commands.   It is possible that this might be enough to get someone started.  Still don't believe me check out the updated GRUB source on opensolaris.org, specifically all the files with zfs in their name - every single one of them under the GPLv2 or later.

Update:  While I appreciate some of the comments posted I'm not going to let my blog be a place to post other peoples opinions on CDDL vs GPL.  So I've deleted some comments, if that annoys you because I deleted your comment, tough luck this is my blog and my policy and thats how it is.  Comments are now closed.
 

This is part 1 of N (where N is yet to be defined but I intend for N > 1) where I'm going to describe some sudo functionality and explain how to do the equivalent thing with OpenSolaris RBAC.   There won't always be an exact match because the functionality of sudo and RBAC doesn't line up 1:1, each can be configured to do things the other can't.  In general I'm going to try and show how to do things rather than trying to justify why RBAC or sudo do things they way they do.  Where relevant I'll point out how they differ in solving a particular task.

Lets start with an easy case.  I want to give the user 'darrenm' the ability to run any command as root using sudo but don't require them to authenticate.   Lets first implement this with sudo: in /etc/sudoers we add this entry:

darrenm ALL= NOPASSWD: ALL

Lets try a simple example to show it works:
islay:pts/4$ id -a
uid=35661(darrenm) gid=10(staff) groups=10(staff)
islay:pts/4$ sudo id -a
uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon)

Great that appears to be working.

Now lets see how to do the same thing with OpenSolaris RBAC. There is a pre-defined RBAC profile that allows a user that is granted it the ability to run any command with the uid and gid of root.  We use usermod(1M) to give that to our user.

# usermod -P'Primary Administrator' darrenm

Now lets try our simple test again:

islay:pts/4$ id -a
uid=35661(darrenm) gid=10(staff) groups=10(staff)
islay:pts/4$ pfexec id -a
uid=0(root) gid=0(root) groups=10(staff)

You will see that there is a subtle difference in the output of 'id -a', I explicitly passed the -a argument so that I could point out the difference between sudo and RBAC here.  In this case is is mostly irrelevant but sudo has done an explicit initgroups(3C) call so all of the root users
supplementary groups are setup as well.  The RBAC pfexec(1) command didn't do that it just changed the attributes defined in the RBAC profile, in this case that is just the real uid and gid the process runs under.

Lets look at how this was actually defined in RBAC: 

$ grep 'Primary Administrator' /etc/security/exec_attr
Primary Administrator:suser:cmd:::*:uid=0;gid=0

This says that for all commands (thats the '*') set uid and gid to 0.  Lets also see how it was assigned to the user:

$ grep ^darrenm /etc/user_attr 
darrenm::::type=normal;profiles=Primary Administrator

We could have manually edited /etc/user_attr (or the nameservice equivalent) rather than,running usermod as we did above.
Now all you need to do is retrain your fingers to type 'pfexec' as the prefix to commands you want run as root rather than prefixing 'sudo'.

Thats all for now.

I've often seen a request for restricting users to having a single login session to a given machine at a time.  I've also seen requests for having a single login session network wide.  

My response to the first of these is usually, write a PAM module to do it, probably using the data stored in utmpx/wtmpx or have the module keep its own state.

My response to the second is usually - this is a much harder problem to implement client side and it is probably better to solve this in a networked authentication service such as in the LDAP directory by having it deny the login. However that can cause other problems; particularly in large deployments where there are multiple directory servers and where users need to authenticate to the LDAP server not just for initial login but for viewing the address book or for IMAP or SMTP authentication.

The first of these came up again yesterday on the general OpenSolaris discussion alias.  Instead of my usual "write a PAM module" response I worked out how to do this using the OpenSolaris resource control framework and no coding. 

 Here's how to do it:

Put each user into their own resource control project, see project(4) and resource_control(5) man pages for more information.

For each of those user projects set the maximum number of tasks that can be created to be 1.

For my example user 'jru' add this to /etc/project (or the project(4) database in your nameservice) to limit them to one login session.

Either edit /etc/project with an entry like this 

 user.jru:100::::project.max-tasks=(privileged,1,deny)

or use the projadd(1M) command like this:

 # projadd -K 'project.max-tasks=(privileged,1,deny)' user.jru

This uses the special 'user.' syntax which also makes this the initial project for the user jru. For this to work you also need to make sure that the user is NOT part of the special 'default' project, otherwise they would be able to use newtask(1) to create more tasks. To do that make the 'default' project not contain any users at all by setting the list of users in the project to '!*' eg:

default:3::!*::

This requires that all users on the system explicitly be a member of some project, either one for their user or assigned one they share with other users using the project keyword in user_attr(4) or a 'group.' project that is implicit based on their unix group membership. This is required since users are normally always in the 'default' project that we have just excluded all of them from.  If you don't do this they won't be able to login at all.  

Note that the root user already has a special 'user.root' project defined for them in the standard /etc/project file.

This is how it will look to users:

An attempt to login a second time (ie create a new task in the project) will fail, eg:

$ ssh jru@localhost
Resource control limit has been reached
$

An attempt to create more processes than is allowed will fail  something like this: 

$ sleep 500 &
zsh: fork failed: resource temporarily unavailable
 

All pretty easy and remember that you can do this network wide by putting the project(4) database in your nameservice of choice (NIS, NIS+, LDAP).

Update With respect to the comment from James: tasks are NOT UNIX processes.  
Limiting the number of tasks a user can create does NOT limit the number of processes, so it doesn't
impact using pipes.  In normal operation the only time a new task is created is at login time or by
explicitly running newtask(1) to create one or change the task a give process is in.  tasks aren't a UNIX thing
but are part of the Solaris extended accounting system.  Maybe I confused the issue by mentioning that
for a given project you can also limit the number of processes a user can have.  To avoid that confusion
in the future I've removed that part so we only talk about tasks now.

 

To change the configuration of the ftp daemon on Solaris so that it will only accept authentications from clients with GSS-API (probably Kerberos)

$ svccfg -s ftp setprop inetd_exec = "/usr/sbin/in.ftpd -a -K"
$ svcadm refresh ftp

For years I've wanted some eye candy way to show of the cryptographic framework, but when it comes down to it crypto just isn't that sexy when it comes to demos.

Well now at least there is a GUI that we can use to show what the framework is doing.  The jkstat project just started up on OpenSolaris, some of the screenshots of this look great.

We will be able to use this to display the kstats that the kernel crypto framework and its providers export to show visually what is going on. 

Even better I get to talk to the main author about this in person since he is one of the members of the London OpenSolaris User Group.   Hopefully I can sign him up to give a talk on this at one of our up and coming meetings.

Yesterday marked a new day for blogs.sun.com/security instead of just being an RSS feed of the Sun Alerts it is now a community blog for us security geeks.  Also by some nice coincidence Jonathan Schwartz did me a huge favour and gave me something to post that I thought was relevant to blogs.sun.com/security instead of just posting it here :-)

Just some notes on porting Racoon to OpenSolaris that might be useful for any Google Summer of Code student who gets assigned to that project.

The first hurdle is the simple naming of some types, the Racoon code for some reason uses u_int32_t instead of uint32_t after running configure add the following to config.h:

#ifndef __P
#ifdef __STDC__
#define __P(p)  p
#else
#define __P(p)  ()

#endif
#endif  /* !defined(__P) */

#define u_int8_t        uint8_t
#define u_int16_t       uint16_t
#define u_int32_t       uint32_t
#define u_int64_t       uint64_t

Raccoon seems to assume that the host has the KAME policy extensions available, OpenSolaris doesn't have this. Instead we have <sys/pfpolicy.h> so Racoon needs to be ported to the OpenSolaris PF_POLICY system.

Getting GSSAPI support working would also be very good.  The configure script trips on because the OpenSolaris /usr/bin/krb5-config script doesn't have an option for GSSAPI.

The rest is well thats up to whom ever picks up this project :-)
 

Great news from Adobe, no sadly not the news that we finally have an upto date Acroread for Solaris x86, but that for Solaris on x86 and SPARC the beta version of Flash 9 is available.  To get this go to the Adobe labs page on flash 9 and scroll down to the getting started area and find the link that says "Download and install Flash Player 9 Update beta".  Note if you click the link in the side box near the top of the page you will be directed to the download page for Flash 7 not the beta of Flash 9.

Thanks to the Adobe and Sun engineers who have been working on this.  Now can we PLEASE get Acroread for Solaris x86 that is current; evince from GNOME is great and I use it a lot, just like I mostly use Preview on MacOS X but when the rare times come that I need to fill in PDF forms I really need a current Acroread. 

Are a UK citizen and care about the use of open & standards based formats, rather than proprietary vendor specific formats like those used by Microsoft Office, for storing and distributing government information ?

If so please sign this official petition to the PM.
 

An inital prototype of a driver for the VIA Padlock has just been pushed into the OpenSolaris crypto framework.  At this time it only supports SHA-1 and SHA-256.  The plan is to get support for AES, RSA and random number.  Ultimately this driver should appear in the main ON consolidation of OpenSolaris and be available on all distributions including future Sun releases of Solaris.

Many thanks to Derek Morr for sharing his work on this via OpenSolaris.